Path: utzoo!attcan!uunet!longway!std-unix
From: a...@bungia.bungia.mn.org (Shane P. McCarron)
Newsgroups: comp.std.unix
Subject: Standards Update, Part 10:  IEEE 1003.6;  Security
Message-ID: <286@longway.TIC.COM>
Date: 1 Jan 89 17:54:23 GMT
Sender: std-u...@longway.TIC.COM
Reply-To: Shane P. McCarron < a...@bungia.bungia.mn.org>
Lines: 194
Approved: j...@longway.tic.com (Moderator, John S. Quarterman)

[ These Standards Updates are published after each IEEE 1003
meeting, and are commissioned by the USENIX Association.
See Part 1 for contact information.  -mod ]


     An update on UNIX|= Standards Activities - Part 10

                    POSIX 1003.6 Update

                     December 18, 1988

           Shane P. McCarron, NAPS International

1003.6 - Security Extensions to POSIX

The 1003.6 committee met with the other POSIX committees in
Hawaii.  At this meeting they decided to divide the work
into different groups.  The groups were addressing: Audit,
Definitions, P1003.6 Scope, DAC, and Privileges.

Each small working group met every day, and on the morning
of the final day of the meeting a wrap-up session was held
to update all the members of each working group's progress.
The following information was presented:

   o+ Audit

       1.  Goals:

              - Satisfy TCSEC Requirement.

              - Reduce the amount of changes to POSIX as
                much as possible.

              - Primarily to make audit trail entries.

              - Portability for audit
                administration/analysis packages/private
                applications.

              - Audit Data Interchange Format.

       2.  Areas of Investigation:

              - Definitions

              - Event/Classes (what are they?)

__________

  |= UNIX is a registered trademark of AT&T in the U.S. and
    other countries.


                           - 2 -

              - Pre/Post Selection Criteria

              - SSO Interface

              - Subsystem Interface

              - Record/File Format

              - IDs (audit ids,...)

       3.  Future:

              - Detailed Input Requested

              - Interim Event/Classes

              - BNF for Audit Token Grammar

     Note that the administration interface issues have been
     considered to be a HANDS-OFF right now.

   o+ Definitions

     The following information was presented:

       1.  The structure of the definitions will be similar
           to 1003.1 structure: terminology section,
           conformance section, general terms, general
           concepts and acronyms.

       2.  The draft 0 definitions were based on four
           documents: ISO, ECMA, IEEE Std 1003.1-1988, and
           the Orange Book.

       3.  The GOAL of this group is to assure that 1003.6
           definitions are consistent and relevant to 1003.6
           areas without overstepping or duplicating
           existing definitions from other 1003.x groups.
           In case some of the 1003.6 definitions conflict
           with 1003.X ones, the action will be to propose a
           redefinition of the term.

   o+ P1003.6 Scope

     The proposed Scope was discussed and the conclusion was
     that it needed reworking. The area of I&A was
     considered not addressed, as well as trusted recovery
     (which the real-time people may need) and others.  In
     the draft a lot of the issues that will not be
     supported right now are marked so because of lack of
     experience or not enough technical maturity.  The


                           - 3 -

     important point is not if we have the experience or
     not, it is to be aware of areas where users want
     security, areas where the committee thinks security
     should be provided, and point them out in the Scope.
     If areas become a problem later, they can be dealt with
     at that time.

     For the next draft of the 1003.6 document, the table of
     contents will contain: Scope, Definitions, Feature
     Overview, Existing 1003.1 Functions, Existing 1003.2
     Commands, Section for Each Feature, and an Appendix.

     The Feature Overview covers a discussion, functional
     interface summary and command summary of each feature.
     Then in the feature section there will be the
     functions, commands, descriptions and security
     specifications.

     In the appendix there will be a rationale that maps to
     the document sections.

     It was remarked that all the future features such as
     Networking and System Administration should be
     annotated in an appendix as areas that will be covered
     as extensions.

   o+ Discretionary Access Controls

     This group was the one with the most activity,
     generating a lot of conflicting ideas even within
     itself.  However, they did resolve to put together
     first the Rationale section of the document and work on
     the agreeable parts, then later debate the contentious
     ones.  One of the conflicting topics was default Access
     Control Lists.  This is probably needed, but apparently
     will not be within the scope of the standard.

   o+ Privileges

     Privileges is a topic wrought with philosophy, and
     computer professionals love to be philosophers.  In
     spite of this, definitions of privilege and certain
     types of privileges were completed.  A paper from IBM
     was taken as a framework for the privilege section.
     During the meeting a few operations were identified as
     necessary, although the list is far from complete:
     getpriv, setpriv, enable/disable_priv, droppriv.

Another issue brought to the whole group was
Internationalization, and the decision was not to address it
as long as they can.  This is unfortunate, as the charter of


                           - 4 -

POSIX is to be as international as possible.  The 1003.1
committee learned the hard way that internationalization
cannot just be stapled on later.  It must be in there from
day one or it becomes extremely difficult to make it work.
In the case of security, labeling is an area in which
internationalization is a must.  If it is not placed in
there initially, it may never get in.

The upshot of all this is that the small groups produced the
guidelines for the next meeting and the topics that are
going to be covered for the near future.

This group has targeted mid-1990 for a complete draft ready
to ballot.  The Usenix Standards Watchdog Committee contact
for this group is Anna Maria de Alvare.  She can be reached
at:

          Anna Maria de Alvare
          Lawrence Livermore National Laboratories
          PO Box 808
          L-303
          Livermore, CA  94450
          +1 (415) 422-7007
          annama...@lll-lcc.llnl.gov
          uunet!lll-lcc.llnl.gov!annamaria


Volume-Number: Volume 15, Number 53

			  SCO's Case Against IBM

November 12, 2003 - Jed Boal from Eyewitness News KSL 5 TV provides an
overview on SCO's case against IBM. Darl McBride, SCO's president and CEO,
talks about the lawsuit's impact and attacks. Jason Holt, student and 
Linux user, talks about the benefits of code availability and the merits 
of the SCO vs IBM lawsuit. See SCO vs IBM.

Note: The materials and information included in these Web pages are not to
be used for any other purpose other than private study, research, review
or criticism.